And don't forget you need to tighten up the other components also:
Thank you for your prompt reply.
I have gone through the provided link and also the following link, but I still have some confusion, e.g.:
Can you share some other valuable notes besides the documentation or best practices to handle this change carefully and flawlessly?
Depending on how you obtained the certificate and the private key, please follow the procedure below.
If you're about to create the key and certificate to get it signed, please start from the beginning; if you're expecting to get the certificate(s) and the key from your team, please start from step 4. In this case please also make sure that the key is saved in RSA format.
An RSA private key should contain the following string in it:
-----BEGIN RSA PRIVATE KEY-----
So, here's the meat:
1. Create the key (if you haven't received the key and cert from the issuer and you will be generating the key and cert request):
keytool -genkeypair -keyalg rsa -keystore [keystorename].jks -storepass [keystorepassword] -alias [alias]
2. Create the cert request using the names defined in the previous step:
keytool -certreq -alias [alias] -keystore [keystorename].jks -storepass [keystorepassword] -file my_new_cert.csr -validity [number of days]
3. Send the certificate request file (my_new_cert.csr in this example) out to be signed.
4. Make sure your certificate is in Base64 X509 format; if not, make the proper conversion:
(a) In case you received your signed cert from root CA:
(b) In case you received your signed cert from non-root CA:
If the certificate was not issued by a trusted CA, the connecting device will then check whether the certificate of the issuing CA was issued by a trusted CA,
and so on, until a trusted CA is found. If no trusted CA is found, a warning message is displayed. The chain file provides the correct certificate path.
In our example the following command will create the chain:
type signed_cert.cer intermediate.cer root.cer > chain.txt
5. Convert the exported PKCS12 binary file to PEM format (or convert from whatever format your issuer gave it to you in, if you received it along with the certificate):
openssl.exe pkcs12 -in [path.to]pkey.p12 -nodes -nocerts -out [path.to]pkey.pem
6. Configure the following settings in the common.properties file:
Point connector.ssl.SSLCertificateFile to the signed certificate file converted to X509 (signed_cert.cer).
Point connector.ssl.SSLCertificateKeyFile to the key you generated using keytool, for example pkey.pem.
Point connector.ssl.SSLCertificateChainFile to the chain of certificates, that is, the chain.txt you created by joining the contents of the .cer files.
7. Set the key password.
I hope this will clarify the SSL certificate installation a bit.
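A pre-flight check for the three files step 6 points common.properties at, added here as an example that is not part of the original post and not Dynatrace's own tooling. The PEM contents are constructed placeholders, not real certificates or keys, and the checks only look at PEM structure (block labels, encryption headers), not at signatures.

```python
import re

# Constructed stand-ins for signed_cert.cer, pkey.pem and chain.txt from the thread.
# The Base64 bodies are placeholders, not real certificates or keys.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMIIC...leaf...\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIE...key...\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_CHAIN = (SAMPLE_CERT
                + "-----BEGIN CERTIFICATE-----\nMIIC...intermediate...\n-----END CERTIFICATE-----\n"
                + "-----BEGIN CERTIFICATE-----\nMIIC...root...\n-----END CERTIFICATE-----\n")
PKCS8_KEY = "-----BEGIN PRIVATE KEY-----\nMIIE...key...\n-----END PRIVATE KEY-----\n"

# One PEM block: a BEGIN line, a body, and an END line with the same label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)


def pem_labels(text):
    """Labels of the PEM blocks in a file, in order (empty for a binary DER file)."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def preflight(cert_text, key_text, chain_text):
    """Return a list of problems; an empty list means the files match what step 6
    expects: a PEM certificate, an unencrypted PKCS#1 RSA key, a cert-only chain."""
    problems = []
    if pem_labels(cert_text) != ["CERTIFICATE"]:
        problems.append("SSLCertificateFile must hold exactly one Base64 X.509 certificate "
                        "(a binary DER .cer or a bundle will not load)")
    key_labels = pem_labels(key_text)
    if "Proc-Type: 4,ENCRYPTED" in key_text or "ENCRYPTED PRIVATE KEY" in key_labels:
        problems.append("key is password-protected: re-export it with -nodes as in step 5")
    elif key_labels == ["PRIVATE KEY"]:
        problems.append("key is PKCS#8 ('BEGIN PRIVATE KEY'): convert it to the RSA format "
                        "('BEGIN RSA PRIVATE KEY') the procedure asks for")
    elif key_labels != ["RSA PRIVATE KEY"]:
        problems.append("SSLCertificateKeyFile must contain exactly one RSA PRIVATE KEY block")
    chain_labels = pem_labels(chain_text)
    if any("PRIVATE KEY" in label for label in chain_labels):
        problems.append("chain file contains a private key: it was concatenated from the "
                        "wrong files and must not be deployed")
    elif not chain_labels or set(chain_labels) != {"CERTIFICATE"}:
        problems.append("SSLCertificateChainFile must contain only CERTIFICATE blocks")
    return problems


if __name__ == "__main__":
    print(preflight(SAMPLE_CERT, SAMPLE_KEY, SAMPLE_CHAIN))  # []
    print(preflight(SAMPLE_CERT, PKCS8_KEY, SAMPLE_CHAIN))   # one PKCS#8 problem
```

Run it against the real signed_cert.cer, pkey.pem and chain.txt (read as text) before editing common.properties; the "private key in chain" case is the one that turns a typo in the `type` command into a leaked key.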
I appreciate your effort in breaking down the steps. It's clearer this way. May I ask:
1) I have 3 files received from the customer. How can I distinguish the root and non-root CA? Which files do I need to convert?
2) To create the certificate chain, can I simply type in the command in cmd?
3) What does the PKCS12 binary file refer to? Is it referring to the output file in step 4?
I need your help here. I've done the same procedure for CAS as described here but got the error java.lang.exception: cannot create new ssl.
Basically TCP 443 is open.
What I've not done is step #5. Which certificate should I convert to PEM, and why is it needed, if the common.properties file contains links only to the CER, chain and private key?
Looking forward to your help.
Thanks in advance.
These are the settings we use at Optum for SSL Certificates on ADS/CAS.
common.properties --> connector.ssl.enabled=true
common.properties --> connector.ssl.SSLEnabled=true
common.properties --> connector.ssl.SSLCertificateFile
dcrum-optum.cer = Certificate Only (No Root Chain, No Private Key)
common.properties --> connector.ssl.SSLCertificateKeyFile
dcrum-optum.key = RSA Private Key (no password) Base64 (OpenSSL)
common.properties --> connector.ssl.SSLCertificateChainFile
dcrum-optum.pem = Root Chain Only, Base64 (OpenSSL)
Rename CAS\wwwroot\WEB-INF\notInclude-web-redirection.xml to web-redirection.xml for HTTP 80 to HTTPS 443 redirection.
Restart ADS/CAS Service
For RUM Console
dcrum-optum.pfx = Certificate, Private Key, and Root Chain (PKCS#12)
alias = jetty
Use keytool to delete the existing mykey and/or jetty alias:
"RUM Console\jre\bin\keytool" -keystore "RUM Console\workspace\configuration\jetty\etc\keystore" -delete -alias mykey -storepass jettypasswd
"RUM Console\jre\bin\keytool" -keystore "RUM Console\workspace\configuration\jetty\etc\keystore" -delete -alias jetty -storepass jettypasswd
Use keytool to import the new PKCS12 dcrum-optum.pfx file into the JKS:
"RUM Console\jre\bin\keytool" -importkeystore -deststorepass jettypasswd -destkeypass jettypasswd -destkeystore "RUM Console\workspace\configuration\jetty\etc\keystore" -srckeystore $pfx -srcstoretype PKCS12 -alias jetty
Restart RUM Console Service